nginx 作为具有多个域和主机的反向代理

nginx 作为具有多个域和主机的反向代理

这个问题可能已经被问过好几次了,但是根据我能找到的所有结果以及我的一点知识,我有点迷茫了。我正在使用 Fedora 29。

我尝试用 nginx 来做的事情:

  • 使用一个 let's encrypt ssl 证书和多个域名
  • 将每个域映射到特定的内部主机(配置文件中的 DNS 或 IP,我不介意,无论什么都可以)
  • 所有主机都已在内部使用 SSL(无可用的 http - 多个监听端口)
  • 如果你从外部使用 http,我希望重定向到 https

样本 :

我该怎么做呢?Let's encrypt 自动为我配置了 nginx 配置,但这似乎有点太多了。


非常感谢您的回答,我觉得我取得了一些进展,即使目前没有工作。我在这里发布我的完整配置文件,因为我现在有一个“502 Bad Gateway”错误。IP 与反向代理不在同一子网中,但完全可访问,没有防火墙或路由问题。

知道我可以在哪里继续前进吗?在原始配置中,还有一个包含密码和协议的 certbot conf 文件。也许我需要重新包含它?

另外:我尝试访问的内部服务器具有使用我自己的 AD CS 签名的证书,但反向代理上没有安装根证书。也许我应该这样做?

# For more information on configuration, see:
#   * Official English Documentation: http://nginx.org/en/docs/
#   * Official Russian Documentation: http://nginx.org/ru/docs/

user nginx;
worker_processes auto;
error_log /var/log/nginx/error.log;
pid /run/nginx.pid;

# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
include /usr/share/nginx/modules/*.conf;

events {
    worker_connections 1024;
}

http {
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile            on;
    tcp_nopush          on;
    tcp_nodelay         on;
    keepalive_timeout   65;
    types_hash_max_size 4096;

    include             /etc/nginx/mime.types;
    default_type        application/octet-stream;

    # Load modular configuration files from the /etc/nginx/conf.d directory.
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;

    server {
        listen 80;
        server_name  _;
        return 301 https://$host$request_uri;
    }

    server {
        listen  443 ssl;
        server_name scans.domain.com;
        ssl  on;
        ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; # managed by Certbot

        location  / {
                proxy_pass  https://192.168.XX.YY/;
        }
    }
}

答案1

为了让 NGINX 将多个域名解析为独立代理,您需要为所使用的每个域设置一个服务器块(是的,您需要includeLE 提供的服务器块):

server { listen 443 ssl; server_name application.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname1.domain.local:80/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 443 ssl; server_name test.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname3.domain.local:80/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } } server { listen 443 ssl; server_name www.domain.com; ssl on; ssl_certificate /etc/letsencrypt/live/www.domain.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/www.domain.com/privkey.pem; include /etc/letsencrypt/options-ssl-nginx.conf; location / { proxy_pass https://hostname2.domain.local:1234/; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection 'upgrade'; proxy_set_header Host $host; proxy_cache_bypass $http_upgrade; } }

答案2

在您的 http.conf 配置中,您可以指定一条规则来重定向所有通过端口 80 的流量进行转发(与域无关): server { listen 80; server_name _; return 301 https://$host$request_uri; }

如果您尝试转发 https > http,那么您还需要一个反向代理配置,如下所示:

server { listen 443 ssl; server_name application.domain.com; ssl on; ssl_certificate /etc/ssl/public/application.domain.com.combined; ssl_certificate_key /etc/ssl/private/application.domain.com.key; location / { proxy_pass http://hostname1.domain.local:80/; } }

请注意,您不一定需要将每个网站放在不同的端口上,nginx 知道根据域名向您的客户端提供什么内容。

问候,

相关内容